kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Set the ACIs on the base DN

Browse Source 
Allow users to change their own password, but nothing else (no search,
no read, no write)

This will only run when setting up the 389-dirsrv instance for the first
time, this has been applied on barnard by editing the dn (see
#128 (comment))

Closes #128
This commit is contained in:
Greg Karékinian
2020-02-12 16:13:45 +01:00
parent 396cc344fb
commit e56faab5b1
2 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
site-cookbooks/kosmos-dirsrv/files/users.ldif
View File

@@ -2,3 +2,5 @@ dn: ou=users,dc=kosmos,dc=org
objectClass: top objectClass: top
objectClass: organizationalUnit objectClass: organizationalUnit
ou: users ou: users
aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)

2
site-cookbooks/kosmos-dirsrv/metadata.rb
View File

@@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
license 'MIT' license 'MIT'
description 'Installs/Configures 389 Directory Server' description 'Installs/Configures 389 Directory Server'
long_description 'Installs/Configures 389 Directory Server' long_description 'Installs/Configures 389 Directory Server'
version '0.1.1' version '0.1.2'
chef_version '>= 14.0' chef_version '>= 14.0'
depends "firewall" depends "firewall"